Web sites, or Internet sites, very often provide information, products, services, and the like to their users. Many web sites require users to “register” before their web servers will grant access to the users. During registration, a user typically supplies personal information such as username, account number, address, telephone number, e-mail address, computer platform, age, gender, and/or hobbies to the registering web site. The registration information may be necessary to complete transactions (e.g., commercial or financial transactions). Typically, the information also permits the web site to contact the user directly (e.g., via electronic mail) to announce, for example, special promotions, new products, or new web site features. Additionally, web sites often collect user information so web site operators can better target future marketing activities or adjust the content provided by the sites.
When registering a user for the first time, a web site typically requests that the user select a login identifier, or login ID, and an associated password. The login ID allows the web site to identify the user and retrieve information about the user during subsequent user visits to the web site. Generally, the login ID must be unique to the web site such that no two users have the same login ID. The combination of the login ID and password associated with the login ID allows the web site to authenticate the user during subsequent visits to the web site. The password also prevents others (who do not know the password) from accessing the web site using the user's login ID. This password protection is particularly important if the web site stores private or confidential information about the user, such as financial information or medical records.
Using a presently available multi-site user authentication system (e.g., Microsoft®.NET™ Passport single sign-in service), a web user can maintain a single login ID (and associated password) for accessing multiple, affiliated web servers or services. Such a system permits the user to establish a unique account identified by, for example, an e-mail address.
Large Internet service providers often have many different web sites through which they offer services to consumers. Moreover, a single web service can actually be made up of many different content providers. For instance, ESPN® sports network is a premium service content provider with an MSN® Internet services subscription. Other sites may be used to provide content related to children's interests, e-shopping, news, and so forth. Consumers usually perceive these related sites as being essentially the same service. Further, as Internet usage migrates to a subscription-based model that includes content and services from a variety of different sites, the need exists for accurately sharing common information (e.g., billing and subscription information) between related sites.
As described above, a web site very often gathers personal information about its users for later use. A typical privacy statement for a web site describes how the site protects and uses personal information. The policy will likely specify first what information the site collects. For example, the site may maintain a profile for the user including information such as the user's e-mail address, first and last name, country or region, state or territory, ZIP code or postal code, language preference, time zone, gender, birth date, occupation, telephone number(s), credit card information, billing and shipping addresses, password, PIN, secret question and secret answer, clothing sizes, music preferences, and the like. Inasmuch as this profile information can be quite sensitive, the typical policy also specifies how the information will or will not be used. For example, a web site's privacy policy may forbid the site from selling or renting a user's personal information without prior consent. The same policy, however, may detail a number of permitted uses (e.g., resolving customer support inquiries, performing statistical analyses of the site's services, conforming to legal requirements, protecting the personal safety of users or the public). A typical policy often specifies certain circumstances under which disclosures or uses of information are permitted and those other circumstances under which they are not.
As the web becomes more tightly integrated across content and service providers, the ability to distinguish and thereby grant appropriate consent will become more difficult. Moreover, related sites may, but are not required to, have the same use policies, privacy policies, and/or ownership and may change their policies at any time. Users experience difficulty in managing the changing policies of different content providers. For example, agreeing to one privacy statement using a first time consent mechanism with one Internet service does not guarantee that the privacy policy will remain unchanged. Unfortunately, an end user today may not be notified when a web site/service or a client-side application, for instance, makes changes to its plans for using the user-provided profile information. Thus, the user is not aware that his or her information is now being used for purposes other than those originally agreed upon.
Accordingly, improved management of the consent process is desired to allow an end user to provide an informed consent to changes in privacy policies and the like.